Interview: Jonathan Goldberger: SVP of Security Practice, TPx

The HIPAA Journal has spoken with Jonathan Goldberger, Senior Vice President of Security Practice, at TPx, a leading provider of managed IT services, unified communications-as-a-service (UCaaS), secure networks, and cybersecurity services to find out more about his experiences as an MSP providing IT services to healthcare organizations.

Jonathan Goldberger, Senior Vice President, Security Practice at TPx

Tell the readers about your career in the healthcare industry.

My security career started with financial services. I worked on Wall Street for four years, and after I left, I got involved in risk management consulting. This was around 2000 when HIPAA started going into effect, and it was here that I started working with healthcare organizations to help them incorporate HIPAA controls, secure their networks and perimeters, and implement risk mitigation. From that point forward, I continued to work with security companies, helping healthcare organizations with the complexity of their IT and security infrastructure.

What was your first position?

I graduated from the University of Alabama and was offered a role working on the university’s mainframe center. It was where I began my passion for IT because it combined something that is very technical in nature with the ability to work with people. Since that time, I’ve held several different technical and leadership roles in the IT and cybersecurity space.

What is your current position?

I am currently the SVP of Security Practice at TPx, where I lead a team of technical resources who partner with companies in all industries to create a security framework that works for their organization. When it comes to cybersecurity, there is no one-size-fits-all approach. Companies need to customize their solutions to meet their specific needs, and every business is different. The healthcare industry has a very particular set of challenges they face daily, and there’s a wide range of compliance requirements that IT providers must know to be effective in the industry. It’s not just HIPAA either; now, state and local governments are passing their own data privacy laws that organizations must comply with on top of federal and industry regulations. Working for TPx, I’m in a unique position to shape technology and security solutions that will help healthcare organizations be strategic in solving the IT challenges they face, strengthening their cybersecurity, and complying with industry regulations.

Tell the readers about any significant event in your career.

During my career, I ran consulting for a very large security and network company, where I worked with a prominent nationwide healthcare organization that was implementing security controls and protections across its network. One of the solutions, Network Access Control (NAC), was implemented with the goal of ensuring no unauthorized devices could gain access and traverse the network. This was a way we could prevent any malicious traffic from getting on the network. I remember sitting down with the CISO and her saying you must capture all the medical devices; you can’t miss any of them. If a medical device can’t get on the network, it affects people’s lives. There is no room for error. We have to make sure that we’re allowing the right devices on the network while still inhibiting malicious devices from gaining access. It was truly an eye-opening experience. In any other industry, having a false positive and not allowing a machine on the network may not have life or death consequences – but in healthcare, it does. If a machine can’t get on the network, there are significant repercussions that are much more than just financial. As a security professional, it made me realize the role we are playing in making sure that the IT is secure and optimized so that healthcare providers can focus on patient care.

Are you working on any interesting projects?

What makes my role so unique is that everything I work on is interesting because no two projects are the same. Every organization has a unique set of circumstances, and while we’re all working toward the same objective — keeping organizations and their data safe — how we get there is never the same. Take small and medium-sized healthcare organizations, for example. They often don’t have the capital to hire all these IT experts and security strategists, so the work we’re doing at TPx is vital. We’re able to address these unique IT challenges organizations face and create more modernized solutions for them to achieve secure outlines and compliance with evolving regulatory requirements.

What products/services do you provide for the healthcare industry and what is unique about them?

TPx offers a full suite of managed IT services, including internet, networking, cloud communications, and security. Our HIPAA-compliant solutions help healthcare providers improve the operations and security of their IT infrastructure. We also offer comprehensive Security Advisory Services that help hospitals, doctors, and mental health professionals understand their security vulnerabilities and identify gaps in their organization’s cybersecurity. The information gained from those services and assessments helps healthcare organizations to define a security strategy and become defensible for the compliance that is required of them. It’s important that organizations are not only being defensible but can also show their defensibility when needed. That’s why we offer a security program dashboard so that organizations can quickly and easily see the state of their security program, what security controls they have in place, and how they are meeting compliance requirements for HIPAA, Sarbanes Oxley, and more in a single place. When an auditor comes in, organizations are at an advantage and can quickly show their defensibility through this dashboard. But beyond the technology, TPx acts as a partner for healthcare providers and provides “wellness checks” to ensure their IT infrastructure is healthy, networks are optimized, systems are secure, and compliance requirements are being met.

When did you first get involved with HIPAA compliance?

I first got involved in HIPAA compliance when it first came out. At that point in my career, I was working in risk management consulting and had been using industry best practices as a baseline for our consulting services. At the organization I worked for, we had a healthcare expert on staff who sat us down and really went through all the HIPAA requirements and how they translated to an organization’s IT needs. Her name was Mame Gordan, and she really gave the best advice I’ve ever received associated with compliance, which is it’s hard to be 100% compliant. The goal of any compliance program should be defensibility. That’s really the goal of any security program or gap assessment. Are you defensible to the regulations required of you? Because when an auditor comes in, they have an interpretation of what they see, which ultimately leads to their findings. Organizations should always focus on the outcome of being defensible because that level of defensibility ultimately helps protect the organization and results in better audit outcomes.

What are your main challenges regarding HIPAA?

Too often, we see that organizations just want to check the box when it comes to HIPAA compliance, when really HIPAA should be one aspect of a security program. The real outcome is about protecting patient data and the healthcare organization through a comprehensive security program, but a byproduct of it is being defensible to various regulatory requirements, like HIPAA, that providers need to meet. Many organizations need to shift their thinking when it comes to HIPAA compliance. It needs to be less about checking the box and more about protecting data and being defensible. When you have a broad security program that encompasses security controls and protections, you can show your defensibility to the regulations of today but also the regulations of tomorrow. Regulatory requirements are constantly adapting and evolving, so having a strong security program in place ensures you may only have to tweak certain aspects versus doing a heavy lift to comply with new regulatory standards. Organizations should always focus on their program versus the specific controls of compliance – it ultimately puts you in a better position as regulations evolve.

Do you have any predictions for the future of HIPAA?

As cybersecurity threats continue to evolve, HIPAA regulations will evolve as well. There won’t be fewer requirements. This will really be the case for all regulations, not just HIPAA. Healthcare providers must adopt security programs that can continue to evolve and mature because there will only be more regulatory requirements that organizations must meet. It’s not enough to say you have a policy or a program – you must prove that you’re actually doing it and have been doing it consistently. That evolution we’ve already seen in other regulations, like the Safeguards Rule. It’s now equally as important that you show there is a security practitioner who is maintaining the program as having the program in place.

Do you have any predictions for the future of healthcare regulation?

Healthcare regulation will also continue to evolve. I think we will see that the complexity of these regulations will only increase. Now, more and more states are driving their own data privacy and security requirements, so if you’re a healthcare provider that has citizens in different states, you will have a much more complex regulatory landscape. Predicting the requirements of these regulations might be difficult, but that doesn’t mean organizations can’t prepare for what’s to come. That’s why, when it comes to technology, they must put in place a security program that can grow and evolve as their company and regulatory requirements evolve.

Do you have any predictions for the future of healthcare technology?

Healthcare technology is going to continue to evolve to provide greater efficiencies for healthcare organizations, from adding in automation as much as possible to continuing the evolution of virtual healthcare. Automation will also utilize more AI to make them as cost-effective as possible. I think there is a very realistic scenario that we will call into a provider and have AI that is helping us deduce what the actual issue is and make recommendations without being an actual doctor. Technology will continue to evolve, but the security concerns won’t go away. Healthcare organizations must continue to prioritize their security programs and adapt them as new technologies emerge.

Do you have any predictions for the future of the healthcare industry?

Privacy and security are becoming a daily topic for so many healthcare professionals, especially with information existing in so many different places and technologies. All healthcare organizations will need to prioritize a comprehensive security program as they adopt new technologies and modernize to the cloud. And security and compliance are no longer just for large organizations. Every healthcare organization must make it a top priority to become defensible.

Do you have anything else interesting to share with readers?

Achieving compliance and maintaining cybersecurity doesn’t have to be an unattainable prospect. Companies need to look to the right partner — one who knows the landscape, one who looks at compliance as a program versus an action, and a partner who seeks to incorporate automation and orchestration in their solutions. Defensibility and strategic success are closer than companies realize.

You can contact and connect with Jonathan Goldberger via LinkedIn: https://www.linkedin.com/in/jonathangoldberger/


The post Interview: Jonathan Goldberger: SVP of Security Practice, TPx appeared first on HIPAA Journal.

CISA and FBI Update AvosLocker Ransomware Cybersecurity Advisory

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued an update on AvosLocker ransomware, which includes known indicators of compromise (IOCs), tactics, techniques, and procedures (TTPs), and detection methods associated with the AvosLocker ransomware variant.

AvosLocker is a relatively new ransomware-as-a-service operation that was first identified in July 2021. While the group is not as prominent as LockBit, Clop, and ALPHV (BlackCat), AvosLocker ransomware affiliates have compromised organizations across multiple critical infrastructure sectors. The group engages in exfiltration-based extortion, requiring the payment of a ransom to prevent the release of stolen data and for the keys to decrypt files.

AvosLocker affiliates use legitimate software and open source tools during their ransomware operations. The group has been observed using Splashtop Streamer, Tactical RMM, PuTTY, AnyDesk, PDQ Deploy, and Atera Agent as backdoor access vectors, the open source network tunneling tools Ligolo and Chisel, Cobalt Strike for command and control, PowerShell and batch (.bat) scripts for lateral movement, Lazagne and Mimikatz for credential harvesting, and FileZilla and Rclone for data exfiltration. The FBI has also observed affiliates using custom webshells to enable network access.

The cybersecurity advisory updates the joint advisory issued by the FBI, CISA, and the Treasury’s Financial Crimes Enforcement Network (FinCEN) in March 2023 and includes a YARA rule created by the FBI to detect NetMonitor.exe, a file identified as enabling the malware. NetMonitor.exe masquerades as a legitimate process but functions as a reverse proxy that allows affiliates to connect to the tool from outside the victim’s network. Indicators of compromise (IOCs) obtained from investigations of attacks between January 2023 and March 2023 have also been shared, along with recommended mitigations to reduce the risk of compromise by AvosLocker ransomware.
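The advisory’s value to a defender lies in turning the tool list above into a hunt. The Python script below is an added example written for this summary; it is not the FBI’s YARA rule and nothing in it comes from the advisory itself. It scans constructed process-creation events (an invented key=value format, with invented hosts, users and paths) for the binaries the advisory names, tags each hit with the role the advisory attributes to it, and escalates any host where two or more roles appear, because remote access followed by tunnelling, credential harvesting or exfiltration is the chain the advisory describes. The remote-access entries are legitimate administration tools, so a match is a triage lead to reconcile with change records rather than a verdict, and substring matching on binary names is a deliberately simple heuristic that a renamed binary will evade.

```python
import re
from typing import Dict, List, Optional

# Tooling named in the advisory summary, keyed by a normalised binary-name stem and
# mapped to the role the advisory attributes to it. The remote-access tools are dual-use.
TOOL_ROLES: Dict[str, str] = {
    "splashtop": "remote access",
    "tacticalrmm": "remote access",
    "putty": "remote access",
    "anydesk": "remote access",
    "pdqdeploy": "remote access",
    "ateraagent": "remote access",
    "ligolo": "network tunnelling",
    "chisel": "network tunnelling",
    "lazagne": "credential harvesting",
    "mimikatz": "credential harvesting",
    "filezilla": "data exfiltration",
    "rclone": "data exfiltration",
    "netmonitor": "reverse proxy (NetMonitor.exe)",
}

# Constructed process-creation events. The key=value layout, hostnames, users and paths
# are invented for this example and do not come from the advisory or any product.
SAMPLE_LOG: List[str] = [
    r'2023-02-14T10:22:03Z host=WS01 user=CORP\jdoe image=C:\Windows\System32\svchost.exe cmdline="svchost.exe -k netsvcs"',
    r'2023-02-14T10:25:41Z host=WS01 user=CORP\jdoe image=C:\Users\jdoe\AppData\Local\Temp\AnyDesk.exe cmdline="AnyDesk.exe"',
    r'2023-02-14T11:02:17Z host=WS01 user=CORP\jdoe image=C:\ProgramData\rclone.exe cmdline="rclone.exe copy D:\Exports remote:drop"',
    r'2023-02-14T11:30:05Z host=SRV02 user="NT AUTHORITY\SYSTEM" image=C:\Windows\Temp\NetMonitor.exe cmdline="NetMonitor.exe"',
    r'2023-02-14T11:31:12Z host=SRV02 user="NT AUTHORITY\SYSTEM" image=C:\Windows\Temp\mimikatz.exe cmdline="mimikatz.exe"',
    r'2023-02-14T12:00:00Z host=WS03 user=CORP\netadmin image="C:\Program Files\PuTTY\putty.exe" cmdline="putty.exe -ssh core-sw01"',
]

# key=value where the value is either double-quoted (may contain spaces) or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """Split one log line into a dict; the leading token is the timestamp."""
    ts, _, rest = line.partition(" ")
    event = {"ts": ts}
    for key, quoted, bare in KV_RE.findall(rest):
        event[key] = quoted if quoted else bare
    return event


def binary_stem(image: str) -> str:
    """Reduce 'C:\\Program Files\\PuTTY\\putty.exe' to 'putty' so case, hyphens and
    version suffixes in the file name do not defeat the lookup."""
    name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    name = name.rsplit(".", 1)[0] if "." in name else name
    return re.sub(r"[^a-z0-9]", "", name)


def classify(event: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return a finding if the event's image matches an advisory-named tool, else None."""
    stem = binary_stem(event.get("image", ""))
    for key, role in TOOL_ROLES.items():
        if key in stem:  # substring match: cheap, but a renamed binary evades it
            return {"ts": event["ts"], "host": event.get("host", "?"),
                    "tool": key, "role": role, "image": event.get("image", "")}
    return None


def scan_events(lines: List[str]) -> List[Dict[str, str]]:
    """Run classify over every non-empty line and collect the findings."""
    findings = []
    for line in lines:
        if line.strip():
            hit = classify(parse_event(line))
            if hit:
                findings.append(hit)
    return findings


def hosts_by_risk(findings: List[Dict[str, str]]) -> Dict[str, str]:
    """A host with two or more distinct roles (e.g. remote access then exfiltration)
    reflects the chain in the advisory and is escalated to 'high'; a single dual-use
    tool is 'review'."""
    roles_per_host: Dict[str, set] = {}
    for f in findings:
        roles_per_host.setdefault(f["host"], set()).add(f["role"])
    return {h: ("high" if len(r) >= 2 else "review") for h, r in roles_per_host.items()}


if __name__ == "__main__":
    hits = scan_events(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["host"]:6} {h["role"]:30} {h["image"]}')
    print(hosts_by_risk(hits))
```

In a real deployment the image name check is only the first pass: pair it with the FBI’s YARA rule for NetMonitor.exe and the shared IOCs, and reconcile remote-access hits against the tools your own IT team actually deploys.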


Editorial: 7 Ways AI Can be Used by Hackers to Steal Healthcare Data

Artificial Intelligence (AI) is transforming the delivery of healthcare in the United States. It is also responsible for one of the biggest threats to the delivery of healthcare in the United States – the theft of healthcare data.

AI has been described as a double-edged sword for the healthcare industry. AI-based systems can analyze huge volumes of data and detect diseases at an early and treatable stage, they can diagnose symptoms faster than any human, and AI is helping with drug development, allowing new life-saving drugs to be identified and brought to market much quicker and at a significantly lower cost. However, AI can also be used by cybercriminals to bypass security defenses and steal healthcare data in greater volumes than ever before – potentially disrupting healthcare operations, affecting health insurance transactions, and preventing patients from receiving timely and effective treatment. This article discusses seven ways AI can be used by hackers to steal healthcare data and suggests ways that healthcare organizations can better prepare for future AI-driven and AI-enhanced attacks.

7 Ways AI Can be Used by Hackers to Steal Healthcare Data

The Increased Threat from AI-Enhanced Phishing Emails

Generative AI models are capable of generating text, images, and other media, and can be used to craft flawless phishing emails that lack the red flags that allow them to be identified as malicious. Security researchers have shown that generative AI is capable of social engineering humans, and AI algorithms can be used to collate vast amounts of personal information about individuals, assisting hackers in crafting highly convincing spear phishing emails.

While this development alone is cause for concern, what is more worrying is that AI significantly lowers the bar for conducting phishing campaigns. Hackers do not need to be skilled at spear phishing, and AI removes any language constraints. Any bad actor can take advantage of generative AI software to launch spear phishing campaigns at scale to obtain users’ login credentials, deploy malware, and steal healthcare data.

Malicious Emails Written by AI are More Likely to Bypass Email Filters

AI-produced malicious emails are more likely to bypass email filters than malicious emails produced manually. The emails use perfect grammar, lack spelling mistakes, use novel lures, target specific recipients, and are often sent from trusted domains. Combined, this results in a low detection rate by traditional email security gateways and email filters.

AI has also been leveraged to combine obfuscation, text manipulation, and script mixing techniques to create unique emails that are difficult for cybersecurity solutions to identify as malicious. Manually coding these evasive tactics can be a time-consuming process that is prone to error. By leveraging AI, highly evasive email campaigns can be developed in minutes rather than hours.

Most Antivirus Software Cannot Detect Polymorphic Malware

Polymorphic malware is malware that continuously modifies its structure and digital appearance. Traditional antivirus software detects malware based on known virus patterns or signatures and cannot detect this type of threat because polymorphic malware is capable of mutating, rewriting its code, and modifying its signature files.

Polymorphic malware is not specific to AI. Hackers have been programming malware to continuously rewrite its code, and it poses a major challenge for network defenders as it is capable of evading traditional cybersecurity solutions. However, when polymorphic malware is created by AI, code complexity and delivery speed increase – escalating the threat to network security, computer systems, and healthcare data while lowering the entry bar for hackers with limited technical ability.

Brute Force Password Cracking is Quicker with AI

Brute force password cracking is a technique for automating login attempts using all possible character combinations. By using the latest, powerful GPUs, hackers can attempt logins at a rate of thousands of potential passwords per second. In May, we reported on how advances in computer technology were reducing the length of time it takes to crack passwords by brute force and – to demonstrate – published the following Hive Systems table.

Time it takes a hacker to brute force your password in 2023. Source: Hive Systems

Since then, Hive Systems has recalculated these times to demonstrate the potential of using GPUs with AI hardware. It is important to note that these tables compare the times it takes to crack random MD5 hashed passwords. Passwords that include names, dictionary words, sequential characters, commonly used passwords, and recognizable keystroke patterns (i.e., “1qaz2wsx”) will take far less time to crack.

Using ChatGPT hardware to brute force your password in 2023. Source: Hive Systems

AI Can Find Vulnerabilities and Unprotected Databases Faster

AI-driven software not only analyzes software and systems to predict vulnerabilities before patches are available, but can trawl cybersecurity forums, chat rooms, and other sources to detect vulnerability and hacking trends. The speed at which hackers can move using AI reduces the time security teams have to detect and address vulnerabilities before the vulnerabilities are exploited, from a few weeks to days or even hours.

Additionally, the attack surface has grown considerably in healthcare due to the number of connected devices, providing even more potential targets for breaching internal networks. Hackers can use AI to exploit vulnerabilities in IoT and IoMT devices – or in their connections – to gain access to networks and steal healthcare data. Alternatively, hackers could use AI to manipulate patient data or alter the function of medical devices to target patients.

Hackers can Manipulate Customer Service Chatbots

Conversational AI chatbots (rather than rule-based chatbots) can be manipulated by hackers using a process known as jailbreaking to bypass the chatbot’s guardrails. The process can be used to extract healthcare data from a chatbot on a hospital website or get the chatbot to send healthcare data to the hacker each time the chatbot service is used by a patient.

A similar threat made possible by AI is indirect prompt injection. In this process, adversarial instructions are not typed into the chatbot directly but are planted in a third-party data source the chatbot consumes, such as a website or social media post that it reads through a web search or API call. The injection indirectly alters the behavior of the chatbot to turn it into a social engineer capable of soliciting and stealing sensitive information.

AI Can be Used to Bypass CAPTCHA

CAPTCHA is used by more than 30 million websites to prevent bots from accessing the website, especially malicious bots looking for website vulnerabilities and poorly protected databases. AI-enhanced robotic process automation bots can be trained to learn the source code for CAPTCHA challenges or use optical character recognition to solve the challenges.

CAPTCHA is effective, but can no longer be relied on to shore up the security of poorly configured websites, as AI allows CAPTCHA challenges to be successfully navigated. Once past the challenge, bots can exploit vulnerabilities and steal healthcare data from poorly protected databases, or bombard the server in a DDoS attack that renders the website unavailable.

How to Better Prepare for Future Attacks on Healthcare Data

AI can be leveraged by malicious actors to increase the sophistication of their attacks and conduct them in far greater numbers. Legacy defenses and security awareness training will not be enough to prevent employees from interacting with email-borne threats and hackers from infiltrating information systems. Therefore, healthcare organizations and other businesses maintaining healthcare data need to take proactive steps to defend against the malicious use of AI-based systems.

Measures organizations can implement include advanced email filters that support first/infrequent contact safety, mailbox intelligence protection, and zero-hour auto purge to retrospectively delete emails if they are weaponized after delivery. If not already implemented, data loss prevention solutions should be considered to protect against hackers using AI to steal healthcare data.

Other ways in which healthcare organizations can prepare for future attacks on healthcare data include supporting existing signature-based antivirus software with extended detection and response solutions, replacing conversational chatbots with rule-based chatbots, and deploying click fraud software that can distinguish between human interactions and bot-driven activity.

One area of preparedness all healthcare organizations should review is password complexity and security. Due to the AI resources available to hackers, it is recommended all passwords are a minimum of fourteen characters in length and contain a random combination of numbers, upper and lower case letters, and symbols. A password manager should be used as it can generate truly random strings of characters for passwords and store them securely in an encrypted password vault.
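As an added example, not from the editorial or from Hive Systems, the Python below turns the recommendation above into a check and shows the keyspace arithmetic behind it. check_password flags passwords shorter than fourteen characters, missing character classes, keyboard walks such as “1qaz2wsx”, sequential runs, and words from a small constructed list standing in for a real breached-password list; brute_force_years gives the worst-case time to exhaust a random password’s keyspace at a guess rate you supply for your own threat model. The 94-character printable ASCII alphabet, the US keyboard layout, the word list and the guess rates used in the usage block are all assumptions made for this example.

```python
from typing import List

# US keyboard rows; columns such as "1qaz" and "2wsx" are derived from them. Walks along
# a row or column and sequential runs are the predictable patterns the editorial warns about.
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
COLUMNS = ["".join(r[i] for r in ROWS if i < len(r)) for i in range(10)]
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
SEQUENCES = ROWS + COLUMNS + [ALPHABET]

# Constructed stand-in for a breached-password / dictionary list. A real deployment
# would load a large list; this one exists only so the example runs offline.
COMMON_WORDS = {"password", "welcome", "hospital", "summer", "admin", "letmein"}

# Printable ASCII symbols; together with 26+26+10 alphanumerics this is the 94-char alphabet.
SYMBOLS = "!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~"


def has_pattern(pw: str, min_len: int = 4) -> bool:
    """True if any window of min_len characters lies on a keyboard row or column, or in
    the alphabet, read in either direction (so "1qaz", "zaq1" and "dcba" all count)."""
    s = pw.lower()
    for i in range(len(s) - min_len + 1):
        window = s[i:i + min_len]
        for seq in SEQUENCES:
            if window in seq or window in seq[::-1]:
                return True
    return False


def has_common_word(pw: str) -> bool:
    """True if a listed word appears anywhere in the password (case-insensitive)."""
    s = pw.lower()
    return any(w in s for w in COMMON_WORDS)


def check_password(pw: str, min_len: int = 14) -> List[str]:
    """Return the ways pw falls short of the recommendation; an empty list means it passes."""
    issues: List[str] = []
    if len(pw) < min_len:
        issues.append(f"shorter than {min_len} characters")
    if not any(c.islower() for c in pw):
        issues.append("no lowercase letter")
    if not any(c.isupper() for c in pw):
        issues.append("no uppercase letter")
    if not any(c.isdigit() for c in pw):
        issues.append("no digit")
    if not any(c in SYMBOLS for c in pw):
        issues.append("no symbol")
    if has_pattern(pw):
        issues.append("contains a keyboard walk or sequential run")
    if has_common_word(pw):
        issues.append("contains a common word or password")
    return issues


def keyspace(length: int, alphabet_size: int = 94) -> int:
    """Number of candidate passwords a brute-force search must cover for random passwords."""
    return alphabet_size ** length


def brute_force_years(length: int, guesses_per_second: float, alphabet_size: int = 94) -> float:
    """Worst-case years to exhaust the keyspace at the given guess rate. The rate is an
    input for your own threat model; expected time to a hit is about half of this, and
    none of it applies to passwords built from words or keyboard patterns."""
    seconds = keyspace(length, alphabet_size) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    for candidate in ["1qaz2wsx", "Hospital2023!", "kV7#pQ2$mZ9!wR4%"]:
        print(f"{candidate!r}: {check_password(candidate) or 'passes'}")
    # Assumed guess rates for illustration only; substitute figures from your own model.
    for rate in (1e4, 1e9, 1e12):
        print(f"{rate:.0e} guesses/s: 8 chars {brute_force_years(8, rate):.2e} years, "
              f"14 chars {brute_force_years(14, rate):.2e} years")
```

The arithmetic is the point: each extra random character multiplies the search by 94, so a fourteen-character random password stays out of reach even at guess rates far above the ones quoted above, while the word- and pattern-based checks catch the passwords for which that arithmetic never applied in the first place.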

AI Will Make Cybersecurity More Difficult for the Unprepared

There are many ways that AI can be used by hackers, and although AI tools are currently being used only to a limited extent by malicious actors, we are already at a stage where it is no longer a case of if these and other novel techniques will be used, but when. Furthermore, because of the ease with which generative AI tools can be used to craft sophisticated phishing emails, write malicious code, and crack passwords, the threshold has been lowered for the skills required to launch attacks on healthcare data.

While many of the measures suggested to prepare for future attacks on healthcare data are likely to incur costs, the alternatives are disruptions to healthcare operations, delayed insurance authorizations, and a fall in the standard of healthcare being provided to patients – notwithstanding that the failure to implement safeguards to protect against these new threats could also result in enforcement action by the HHS’ Office for Civil Rights, Federal Trade Commission, and state Attorneys General.

Steve Alder, Editor-in-Chief, HIPAA Journal


FREE WEBINAR: Smarter HIPAA Incident Management

Discover how to replace scattered HIPAA incident reports with a single, streamlined system that keeps you audit-ready and in control. It’s time to stop chasing HIPAA incident information and investigations across emails, spreadsheets, and shared drives. Learn a smarter HIPAA incident approach that simplifies HIPAA audits and consistently manages HIPAA incidents.

Join The Compliancy Group for a practical live webinar showing how organizations can centralize HIPAA hotline reporting and HIPAA incident management to stay audit-ready and move from ad hoc response to proactive management.

Webinar attendees will learn how to:

  • Collect hotline reports from employees, patients, vendors, and third parties in one secure system
  • Automatically route and escalate HIPAA incidents for faster, more consistent response
  • Consistently manage investigations, evidence, and remediation in a single system
  • Identify HIPAA incident trends and potential risk areas before they become major problems
  • Confidently share with executives, boards, and regulators with audit-ready reports

Why Attend?

You’ll learn a clearer, more structured approach to HIPAA incident management, and have the confidence that your process can stand up to internal reviews, external audits, and management reporting.

Reserve your free webinar seat today and learn how to turn HIPAA incident management into a streamlined, audit-ready process that you can control with confidence.


WEBINAR DETAILS

 WEBINAR CLOSED

Speaker: Liam Degnan, Director, Solutions Engineering, Compliancy Group

Speaker: Anne Marie Anderson, Director of Compliance Content, Compliancy Group


Speaker: Liam Degnan, Director, Solutions Engineering, Compliancy Group

Liam Degnan has 8+ years of experience combining risk management, SaaS sales, and regulatory compliance in the healthcare space. As Compliancy Group’s Senior Solutions Engineer, he advises healthcare decision-makers, healthcare providers, and medical vendors. He speaks on a variety of platforms and topics, with an emphasis on simplifying HIPAA, OSHA, SOC 2, and other general healthcare compliance regulations.


Speaker: Anne Marie Anderson, Director of Compliance Content, Compliancy Group

Anne Marie Anderson is a licensed attorney in Michigan and Massachusetts with more than 25 years of experience in legal and compliance leadership. As Compliancy Group’s Director of Compliance Content and a former Compliance Officer, she supports organizations in strengthening their compliance programs by closing gaps and reducing both financial and reputational risk. Anne Marie brings a wealth of experience in healthcare law and regulatory compliance, including HIPAA, Medicare, fraud and abuse, and the Anti-Kickback Statute.
